Cybersecurity: EU Commission continues to tweak NIS2 Directive
The provisions of the NIS2 Directive have barely been implemented into German law, and the EU Commission is already planning new changes. These are the key points.
- Stefan Hessel
- Moritz Schneider
Since December 6, 2025, the provisions of the NIS2 Directive have been implemented into German law. Many companies that provide critical services or carry out corresponding activities have since had to establish company-wide cybersecurity risk management, covering processes, supply chains and management. The implementation in Germany had barely been formally completed when the EU Commission followed up: yesterday (Tuesday) it presented a new cybersecurity package, including proposals for amending the NIS2 Directive. Some of the proposed amendments are significant and are likely to have direct effects on companies.
So far, the rule has been that only enterprises of at least medium size are regulated; depending on the sector, they are then classified as “important” or even “essential” entities. The latter category entails more intensive supervision and additional proof requirements. The Commission now wants to create a new intermediate category: “small mid-caps”. This refers to companies that are no longer SMEs but have fewer than 750 employees and either a turnover of no more than €150 million or a balance sheet total of no more than €129 million.
The practical effect: small mid-caps would generally no longer be considered essential entities simply because they carry out activities from Annex I; as a rule, they would “only” be classified as important entities. This should noticeably reduce the number of essential entities.
Electricity Generators and Chemicals
In the recitals, the Commission admits with unusual openness that there is considerable legal uncertainty regarding the NIS2 Directive. The scope for electricity generators, for example, is particularly controversial, including the question of whether even small photovoltaic systems can bring an operator into scope. The proposed amendment draws a clear threshold here: only electricity generators with a capacity of 1 MW or more are to be covered.
Rather technical, but important for delimitation: In the area of “production, manufacture and trade in chemical substances”, a reference error is being corrected. In the future, only manufacturers and traders whose products require registration under the REACH Regulation will be covered here.
Dual-Use Infrastructure Newly Covered
Strategic dual-use infrastructure is to be newly covered. This is infrastructure that serves both civilian and military purposes. Owners, operators and responsible parties are to be included regardless of size. The decisive factor, however, is that Member States must first determine which infrastructure falls under this category at all. Without such a national determination, no entity automatically falls into scope, even once the EU proposal has been implemented.
The Commission also wants to facilitate compliance: In the future, cybersecurity compliance could be demonstrated through European certifications. Member States may require important and essential entities to do so. Furthermore, the Commission addresses a known practical problem: suppliers and service providers of regulated companies are often subjected to questionnaires and information requests. Guidelines are planned to reduce duplication of work.
What remains unchanged is striking: the Commission does not foresee any adjustments for managed (security) service providers, cloud computing or data center services. This suggests that intra-group IT structures are indeed meant to fall within scope.
It's still just a proposal
Currently, only a proposal from the EU Commission is on the table. For now, the legal situation is unchanged, and even if the amendment enters into force at EU level, what matters for companies will continue to be what the national implementing laws provide. As long as national regulations are not adapted, any relief the proposal offers will not apply.
Especially given the already protracted NIS2 implementation in Germany, it is unclear how quickly national legislation would be adapted. It is conceivable, however, that individual elements such as the 1 MW threshold could indirectly play a role in the interpretation of existing provisions (e.g., § 28 para. 3 BSIG) even before then.
(mack)